Privacy Policy
Effective June 9, 2026 · Last updated June 9, 2026 · Irmu LLC · Contact: info@aitarapilot.com
Irmu LLC ("Irmu", "we", "us") operates AitaraPilot (the "Service"). This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and the choices and rights you have. We aim to collect only what we need to make the Service work for you.
1. Who we are and scope
For purposes of EU/UK data protection law, Irmu is the "controller" of personal information you provide to the Service. This Policy applies to the Service and does not cover third-party sites or services we link to.
2. Information we collect
We collect the following categories of personal information:
- Identifiers: name (if provided), email address, account ID, IP address, device identifiers.
- Account and authentication data: hashed credentials, login timestamps, OAuth provider IDs.
- Case content (Your Content): documents, notes, facts, and other information you upload or enter about your legal matter, which can include sensitive information about you and third parties.
- Derived case data: structured timelines, parties, claims, citations, risks, and similar facts extracted from Your Content by the Service.
- Commercial information: subscription status, transaction history, and limited payment metadata from Stripe (e.g., card brand, last four digits, ZIP). We do not store full card numbers.
- Internet activity: pages viewed, features used, error events, approximate location derived from IP, and timestamps.
- Communications: messages you send to support and any feedback you submit.
- Sensitive personal information (CCPA/CPRA): legal-matter content you upload may include sensitive categories such as health, financial, immigration, religious, or precise demographic information. We process this information only to provide the Service to you and not for inferring characteristics about you.
3. Sources of personal information
- Directly from you (account sign-up, uploads, support).
- Automatically from your device and browser (cookies, log data).
- From service providers (Stripe for payment metadata; identity providers for OAuth sign-in).
4. How we use information
- To provide the Service: parse Your Content, build your case dashboard, store your work, and let you return to it.
- To authenticate you and secure your account.
- To process payments, manage subscriptions, and prevent fraud.
- To diagnose problems, monitor performance, and improve reliability and quality.
- To communicate with you about your account, security, and material changes to the Service.
- To comply with legal obligations and enforce our Terms.
5. Legal bases (EU/UK)
If GDPR or UK GDPR applies to you, we rely on the following legal bases:
- Contract: to provide the Service you have signed up for (Art. 6(1)(b)).
- Legitimate interests: to secure and improve the Service, prevent abuse, and communicate with you (Art. 6(1)(f)), balanced against your rights.
- Legal obligation: to comply with tax, accounting, and other laws (Art. 6(1)(c)).
- Consent: where required (e.g., for certain cookies). You can withdraw consent at any time without affecting prior processing.
- Special category data (Art. 9): legal-matter content may include special category data. We process it only to provide the Service to you, with your explicit consent (which you give by uploading the content) and as necessary for the establishment, exercise, or defense of legal claims.
6. AI processing
To extract structured information and answer questions about Your Content, we send relevant text from Your Content to large-language-model APIs operated by OpenAI, L.L.C. Per OpenAI's API terms, content sent through the API is not used to train OpenAI's foundation models. We do not share Your Content with any model provider for training purposes. AI processing is core to the Service; if you do not want your content processed by AI, do not upload it.
7. Sub-processors
| Provider | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | United States |
| OpenAI, L.L.C. | AI extraction, summarization, and chat | United States |
| Stripe, Inc. | Payment processing | United States / global |
| Cloudflare, Inc. | Hosting, content delivery, security | Global edge network |
8. Sharing and disclosure
We share personal information with: (a) the sub-processors listed above, under written contracts that restrict their use of the information; (b) professional advisors (lawyers, accountants, auditors) under duties of confidentiality; (c) authorities when required by law, valid legal process, or to protect rights, safety, and property; and (d) a successor entity in connection with a merger, acquisition, financing, or sale of assets (in which case we will notify you).
We do not sell personal information, and we do not share personal information for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA.
9. International transfers
We are based in the United States, and our sub-processors may store or process data in the United States or other countries. When we transfer personal information from the European Economic Area, the United Kingdom, or Switzerland to a country that has not been deemed adequate, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum. You may request a copy of the safeguards by emailing info@aitarapilot.com.
10. Retention
We retain personal information for as long as your account is active and for a reasonable period after, so you can return to your matter. You can delete a case or your account at any time from your account settings or by emailing info@aitarapilot.com. Deleted content is removed from active systems immediately and purged from routine backups within 30 days. We may retain a limited subset of information longer when required for legal, accounting, tax, fraud-prevention, or dispute-resolution purposes.
11. Security
We use industry-standard safeguards, including TLS encryption in transit, encryption at rest for stored files, row-level security on user data, scoped access controls, audit logging, and regular dependency updates. No system is perfectly secure. If we become aware of a security incident that affects your personal information, we will notify you and the relevant authorities as required by applicable law.
12. Your rights
12.1 Rights available to everyone
- Access the personal information we hold about you.
- Correct inaccurate information.
- Delete your account and associated content.
- Export Your Content in a portable format.
- Opt out of marketing emails using the unsubscribe link or by emailing us (we will continue to send transactional messages).
12.2 California residents (CCPA/CPRA)
If you are a California resident, you have the right to: (a) know the categories and specific pieces of personal information we collect, use, disclose, and share; (b) request deletion or correction of your personal information; (c) opt out of "sale" or "sharing" of personal information (we do not sell or share); (d) limit our use and disclosure of sensitive personal information to what is necessary to provide the Service (we already operate this way); (e) be free from discrimination for exercising your rights; (f) appeal a denial of a rights request; and (g) designate an authorized agent to act on your behalf, subject to verification.
We do not offer any financial incentive in exchange for personal information. We honor the Global Privacy Control (GPC) browser signal as a valid opt-out of sale/sharing. California's "Shine the Light" law: we do not share personal information with third parties for their direct marketing purposes.
12.3 EU/UK residents (GDPR/UK GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the right to access, rectify, erase, restrict, object to, and port your personal information, and to withdraw consent where processing is based on consent. You may lodge a complaint with your local data protection authority; in the UK, the Information Commissioner's Office (ico.org.uk).
13. How to exercise your rights
Email info@aitarapilot.com from the address on your account, or use account-level tools where provided. We may need to verify your identity before responding. We will respond within the time required by applicable law (typically 30–45 days). There is no charge for reasonable requests.
14. Cookies and tracking
We use a small number of essential cookies and similar browser storage technologies. See our Cookie Policy for details. We honor Global Privacy Control (GPC) signals as an opt-out of any sale or sharing of personal information. We do not respond to "Do Not Track" headers because there is no industry-standard meaning for them today.
15. Children
The Service is not directed to children under 18, and we do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, email info@aitarapilot.com and we will delete it.
16. Automated decision-making
The Service uses automated processing to extract and summarize information from Your Content. This processing is not used to make decisions with legal or similarly significant effects on you under Article 22 of the GDPR; outputs are advisory tools that you review and act on yourself.
17. Changes to this Policy
We will post any changes to this Policy on this page with an updated effective date. If changes are material, we will provide additional notice (for example, by email or in-product banner).
18. Contact
Controller: Irmu LLC
5437 Cove Cir, Naples, FL 34119, USA
Email: info@aitarapilot.com